Compliance Isn’t Enough to Meet Cyber Threats, Experts Say

To meet today’s cybersecurity threats, and those that experts predict will pop up in the near future, government agencies will have to do more than just meet compliance guidelines, according to current and former government officials.

“I would argue compliance is a nice check at the end of a process, but I think the fundamental problem is that we don’t even really know what’s at risk,” said Thomas Donahue, research director of the Cyber Threat Intelligence Integration Center. “We are constantly surprised by interdependencies. We are surprised that some piece of data turned out to be much more valuable than we realized. In some cases, we’re surprised that the data even existed in the first place. I would say that we’ve been following the Pied Piper down this world of efficiency, and the Pied Piper is now here to collect your children.”

Neal Ziring, technical director of the Capabilities Directorate at the National Security Agency, agreed that compliance should operate as a baseline, but said that it doesn’t go far enough to ensure cybersecurity.

“There are two problems with the way we view it today,” said Ziring. “The first one is that they’re too static. We tend to write these sort of compliance things like a static set of NIST 800-53 controls, and you name it ‘Intelligent Overlay A,’ and that particular one has been the same for something like four or five years. And then the second bit is that compliance today is measured too infrequently.”

Rear Adm. Timothy White, commander of the Cyber National Mission Force in U.S. Cyber Command, told MeriTalk that there are a few things government agencies should be doing to ensure baseline, continuous compliance. First, the C-suite needs to be held accountable for breaches that occur due to compliance failures, and those expectations should be listed in their job description. In addition, purchasing automated tools to check for compliance would enable agencies to check cybersecurity compliance on a daily basis, since changes in networks and the threat landscape can alter whether an agency meets standards.

“We know what good looks like, it’s just hard to get there, and expensive,” said James Trainor, senior vice president of the Cyber Solutions Group at Aon and former assistant director of the FBI Cyber Division.

However, meeting compliance and even adding on innovative defensive strategies can give hackers an incentive to employ even more advanced attack technologies.

“A completely compliant entity I think would be viewed by ne’er-do-wells as a challenge, and challenges quickly become targets,” White said.

Ziring specifically worried that the same artificial intelligence technologies that are employed to defend against attack could also be used to attack more effectively.

“There is no law that these advanced cognitive techniques can only be used by defenders,” Ziring said. “Machine learning chews on data. The less data you give it, the more effective at abating it, I think you’re going to be.”

“Everywhere that we have forecasted that technology will be a savior, it has provided a substantial improvement in a lot of ways, mostly in ways that we didn’t anticipate or build into the blueprint or get approved through the funding line, but it has also come with attendant vulnerabilities and potential for compromise that we didn’t understand,” added White.

The experts also warned that future hacking techniques will likely focus on the data itself, rather than on ransoming that data. Hackers will also likely target data whose compromise harms more than one entity, such as bank data whose exposure hurts both the bank and its customers.